This adds `VERIFY_X509_STRICT` to make the default
SSL context perform stricter (per RFC 5280) validation, as well
as `VERIFY_X509_PARTIAL_CHAIN` to enforce more standards-compliant
path-building behavior.
As part of this changeset, I had to tweak `make_ssl_certs.py`
slightly to emit 5280-conforming CA certs. This changeset includes
the regenerated certificates after that change.
Signed-off-by: William Woodruff <william@yossarian.net>
Co-authored-by: Victor Stinner <vstinner@python.org>
If OpenSSL was built without PSK support, the python TLS-PSK
methods will raise "NotImplementedError" if called.
Add a constant "ssl.HAS_PSK" to check if TLS-PSK is supported
Add support for TLS-PSK (pre-shared key) to the ssl module.
---------
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Adds APIs to get the TLS certificate chains, verified or full unverified, from SSLSocket and SSLObject.
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Fixes https://github.com/python/cpython/issues/89051
The function has been removed. In the ssl documentation, replace
references to the ssl.wrap_socket() function with references to the
ssl.SSLContext.wrap_socket() method.
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Remove dead code related to ssl.PROTOCOL_SSLv2. ssl.PROTOCOL_SSLv2
was already removed in Python 3.10.
In test_ssl, @requires_tls_version('SSLv2') always returned False.
Extract of the removed code: "OpenSSL has removed support for SSLv2".
example.com is reserved by the IANA as special-use domain name for documentation
purposes. The domain names are used widely in books, tutorials, sample network
configurations, and generally as examples for the use of domain name.
On the other hand, mydomain.com is real Domain Name Registration service.
- skip doctest that changes depending on target system
- skip doctest that only fails on CI
- substitute in values that change depending on target system
Undo rejected PEP-663 changes:
- restore `repr()` to its 3.10 status
- restore `str()` to its 3.10 status
New changes:
- `IntEnum` and `IntFlag` now leave `__str__` as the original `int.__str__` so that str() and format() return the same result
- zero-valued flags without a name have a slightly changed repr(), e.g. `repr(Color(0)) == '<Color: 0>'`
- update `dir()` for mixed-in types to return all the methods and attributes of the mixed-in type
- added `_numeric_repr_` to `Flag` to control display of unnamed values
- enums without doc strings have a more comprehensive doc string added
- `ReprEnum` added -- inheriting from this makes it so only `__repr__` is replaced, not `__str__` nor `__format__`; `IntEnum`, `IntFlag`, and `StrEnum` all inherit from `ReprEnum`
Specify that SSLContext.set_default_verify_paths is called on ALL systems.
The code of SSLContext.load_default_certs was changed in bpo-22449 to do this,
this fix corrects the documentation to match that change.
Replace old names when they refer to actual versions of macOS.
Keep historical names in references to older versions.
Co-authored-by: Patrick Reader <_@pxeger.com>
The ssl module now uses ``SSL_read_ex`` and ``SSL_write_ex``
internally. The functions support reading and writing of data larger
than 2 GB. Writing zero-length data no longer fails with a protocol
violation error.
Signed-off-by: Christian Heimes <christian@python.org>
Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not
copy hostflags from *struct SSL_CTX* to *struct SSL*.
Signed-off-by: Christian Heimes <christian@python.org>
Hugo van Kemenade
William Woodruff
Serhiy Storchaka
Carl Bordum Hansen
Rami
Thomas Grainger
Jan Brasna
Grant Ramsay
Ezio Melotti
Mateusz Nowak
Jocelyn Castellano
Rafael Fontenelle
Benjamin Fogle
Simon Robinson
Illia Volochii
Victor Stinner
Christian Heimes
Oleg Iarygin
Motoki Naruse
Frederick
Jörn Heissler
Ethan Furman
Kumar Aditya
LincolnPuzey
Mariusz Felisiak
Anton Grübel
Zackery Spytz
l0x